VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-40328

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in smb2_close_cached_fid()

find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.

Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's SMB client: a race between find_or_create_cached_dir() and smb2_close_cached_fid() let a new reference be taken on a cached directory handle (struct cached_fid) whose reference count had already dropped to zero, so the object was freed while still in use. The outcome is kernel memory corruption, which at minimum means a kernel crash.

Vulnerability

Overview

A use-after-free (UAF) exists in the Linux kernel's SMB client, in the teardown of cached directory file identifiers (fids) handled by smb2_close_cached_fid(). The lookup side, find_or_create_cached_dir(), walks the list of cached directories under cfid_list_lock and takes a reference (kref_get()) on any entry that is still linked. The close side used plain kref_put(): the count was decremented first, and only afterwards, inside the release callback, was cfid_list_lock acquired to unlink the entry. Between the decrement reaching zero and the lock acquisition the entry was still on the list and still visible to the lookup, which could take a reference on an object whose release had already begun. The release then freed the object underneath that new holder, producing the use-after-free [1].

Exploitation

Triggering the race requires the ability to drive SMB operations against a share mounted by the in-kernel client: one context must look up the cached directory through find_or_create_cached_dir() while another drops the last reference through smb2_close_cached_fid(). The window is the gap between kref_put() observing a zero count and the release path acquiring cfid_list_lock, so it is narrow and winning it takes many repeated concurrent attempts rather than a single operation. A local user who can perform file operations on the mounted share is sufficient; no credentials beyond those the mount already carries are needed, because the race is entirely in the client [1].

Impact

Successful exploitation corrupts kernel memory. The reliable outcome is a denial of service (kernel crash); turning a kernel use-after-free into arbitrary code execution in kernel context is possible in principle but depends on controlling what the freed struct cached_fid slab slot is reused for. This entry is currently listed as unrated; no CVSS score or vector is attached to it [1].

Mitigation

The fix has been applied to the Linux kernel stable tree via commit 734e99623c5b. The patch replaces kref_put() with kref_put_lock(), which decrements the count and, when it reaches zero, acquires cfid_list_lock before invoking the release function (cfid_release()). The object is therefore unlinked from the cached directory list in the same critical section in which its count becomes zero, and find_or_create_cached_dir() can no longer find a zero-count entry to take a reference on. To check whether a running kernel carries the fix, look at the cached-fid close path in fs/smb/client/cached_dir.c (fs/cifs/cached_dir.c in older stable series): the fixed code calls kref_put_lock() with cfid_list_lock, the vulnerable code calls plain kref_put(). Users are advised to update to a kernel containing this commit [1].
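The race described under Overview and the reason kref_put_lock() closes it, as an added single-threaded model written for this page rather than code from the kernel or the advisory. The structs and helpers (cfid_model, cfids_model, lock_model, lookup_and_get, put_racy, put_with_lock, scenario) are invented stand-ins for struct cached_fid / struct cached_fids, cfid_list_lock, kref_get(), kref_put() and kref_put_lock(); the "other CPU" is modelled by a callback invoked at the point where the releasing CPU could be preempted.

```c
/*
 * Model of the struct cached_fid refcount race, written for this page.
 * Not kernel code: every name here is an invented stand-in (see lead-in).
 * The other CPU is a callback run at the preemption point, and a lock that
 * is already held is reported to it as "would block" (it returns NULL).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct lock_model { bool held; };          /* stands in for cfid_list_lock */

static void lock_acquire(struct lock_model *l) { l->held = true; }
static void lock_release(struct lock_model *l) { l->held = false; }
static bool lock_try(struct lock_model *l)       /* what a second CPU sees */
{
    if (l->held)
        return false;                      /* it would spin until release */
    l->held = true;
    return true;
}

struct cfid_model {
    int refcount;       /* the kref (refcount_t in the kernel) */
    bool on_list;       /* linked in the cached directory list */
    bool freed;         /* set by the release path; any later use is a UAF */
    const char *path;
};

struct cfids_model {
    struct lock_model cfid_list_lock;
    struct cfid_model *entry;   /* a one-entry "list" is enough for the model */
};

/* Lookup half of find_or_create_cached_dir(): take a reference on a listed match. */
static struct cfid_model *lookup_and_get(struct cfids_model *cfids, const char *path)
{
    struct cfid_model *cfid;

    if (!lock_try(&cfids->cfid_list_lock))
        return NULL;
    cfid = cfids->entry;
    if (cfid && cfid->on_list && strcmp(cfid->path, path) == 0) {
        /* kref_get() on a count of 0 is the bug: release is already running. */
        cfid->refcount++;
        lock_release(&cfids->cfid_list_lock);
        return cfid;
    }
    lock_release(&cfids->cfid_list_lock);
    return NULL;
}

/* Release callback: unlink then free. Must be entered with cfid_list_lock held. */
static void cfid_release_locked(struct cfids_model *cfids, struct cfid_model *cfid)
{
    if (cfid->on_list) {
        cfid->on_list = false;
        cfids->entry = NULL;
    }
    lock_release(&cfids->cfid_list_lock);
    cfid->freed = true;                    /* kfree(cfid) in the kernel */
}

typedef void (*preempt_fn)(struct cfids_model *cfids, struct cfid_model **got);

/* Before the fix: kref_put() drops the count; the callback takes the lock later. */
static void put_racy(struct cfids_model *cfids, struct cfid_model *cfid,
                     preempt_fn preempt, struct cfid_model **got)
{
    if (--cfid->refcount != 0)
        return;
    preempt(cfids, got);   /* window: count == 0, still listed, lock free */
    lock_acquire(&cfids->cfid_list_lock);
    cfid_release_locked(cfids, cfid);
}

/* After the fix: kref_put_lock() reaches zero only with cfid_list_lock held. */
static void put_with_lock(struct cfids_model *cfids, struct cfid_model *cfid,
                          preempt_fn preempt, struct cfid_model **got)
{
    if (cfid->refcount > 1) {              /* fast path: not the last reference */
        cfid->refcount--;
        return;
    }
    lock_acquire(&cfids->cfid_list_lock);  /* refcount_dec_and_lock() semantics */
    cfid->refcount--;
    preempt(cfids, got);   /* same point, but the lookup now cannot get the lock */
    cfid_release_locked(cfids, cfid);
}

/* The concurrent CPU: a lookup of the same cached directory. */
static void other_cpu_lookup(struct cfids_model *cfids, struct cfid_model **got)
{
    *got = lookup_and_get(cfids, "\\");
}

/* True if the interleaving handed the other CPU a pointer that was then freed. */
static bool scenario(bool fixed)
{
    struct cfid_model cfid = { .refcount = 1, .on_list = true, .freed = false, .path = "\\" };
    struct cfids_model cfids = { .cfid_list_lock = { .held = false }, .entry = &cfid };
    struct cfid_model *got = NULL;

    if (fixed)
        put_with_lock(&cfids, &cfid, other_cpu_lookup, &got);
    else
        put_racy(&cfids, &cfid, other_cpu_lookup, &got);
    return got != NULL && got->freed;
}

int main(void)
{
    printf("kref_put, lock taken in release: UAF reachable = %s\n", scenario(false) ? "yes" : "no");
    printf("kref_put_lock (the fix):         UAF reachable = %s\n", scenario(true) ? "yes" : "no");
    return 0;
}
```

The model reduces the kernel's list to one entry and its spinlock to a flag, which is all the race needs: with the pre-fix ordering the lookup finds a listed entry whose count is already zero and resurrects it, and the release frees it anyway; with the fixed ordering the decrement to zero and the unlink happen in one critical section, so the lookup is serialized after the entry is gone.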

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
